Geekzone: technology news, blogs, forums




Linux Systems Admin
987 posts

Ultimate Geek
+1 received by user: 166

Trusted
Integrity Tech Solutions
Subscriber

Topic # 236175 21-May-2018 21:08

Simply enabling the IPV6 package (disabled by default) causes the router to not be able to connect to the internet. PPPoE connect attempts fail with no useful information in the log.

 

Has someone else seen this weird issue before?


5310 posts

Uber Geek
+1 received by user: 1793


  Reply # 2020081 21-May-2018 21:13

Not seen that, however, /system logging (and assuming winbox/webfig) add a new log type with no topics selected, and action memory. That should enable more info in the log to troubleshoot. Delete or disable that rule though when finished or it will overrun the log very quickly.




Linux Systems Admin
987 posts

Ultimate Geek
+1 received by user: 166

Trusted
Integrity Tech Solutions
Subscriber

  Reply # 2020090 21-May-2018 21:40

For equally unknown reasons it has now decided to work as far as connecting. But I still don't have working IPV6.

 

The 'howtos' I have found so far indicate the way to do this with Mikrotik is to run a DHCPv6 client on the WAN interface. This does not appear to be working either, showing a status of "searching". Additionally, none of the advice topology I have found reflects how things are done here, leaving me to fill in the blanks.

 

Should this client run on vlan 10 or the pppoe interface?

 

Is the advice wrong and there is another way?

 

What I have done so far:

ipv6 / dhcpv6-client
interface = dialer0 (pppoe interface)
request = prefix
pool name = ipv6-pool
add default route = yes


 
 
 
 


186 posts

Master Geek
+1 received by user: 31


  Reply # 2020488 22-May-2018 16:17

I've had no trouble running IPv6 on PPPoE on VLAN 10.

 

 

 

The DHCP Client should be listening on the interface where you get your IPv4 public IP - so if you're using PPPoE, it should be on the PPPoE interface.

 

 

 

I've never had the IPv6 module break IPv4. If you have a default-deny policy on your ipv6 firewall (as you should..) you'll need to allow DHCPv6

 

 

 

Which ISP are you with?




Linux Systems Admin
987 posts

Ultimate Geek
+1 received by user: 166

Trusted
Integrity Tech Solutions
Subscriber

  Reply # 2020489 22-May-2018 16:19

MattR:

 

The DHCP Client should be listening on the interface where you get your IPv4 public IP - so if you're using PPPoE, it should be on the PPPoE interface.

 

 

 

I've never had the IPv6 module break IPv4. If you have a default-deny policy on your ipv6 firewall (as you should..) you'll need to allow DHCPv6

 

 

 

Which ISP are you with?

 

 

So my config should be "correct" then... I am with InspireNet.

 

The IPV6 module thing was weird. It appeared to break it but next time it worked... No explanation.


186 posts

Master Geek
+1 received by user: 31


  Reply # 2020494 22-May-2018 16:58

I'm on 2degrees, so I'm just guessing here.

 

 

 

In the DHCPv6 Client config, which requests do you have? Try "prefix" only - not info or address.

 

 

 

Edit: I see you've already got that..




Linux Systems Admin
987 posts

Ultimate Geek
+1 received by user: 166

Trusted
Integrity Tech Solutions
Subscriber

  Reply # 2020495 22-May-2018 16:59

MattR:

 

In the DHCPv6 Client config, which requests do you have? Try "prefix" only - not info or address.

 

 

That's what I have, thanks.

 

As follows:

ipv6 / dhcpv6-client
interface = dialer0 (pppoe interface)
request = prefix
pool name = ipv6-pool
add default route = yes


186 posts

Master Geek
+1 received by user: 31


  Reply # 2020516 22-May-2018 17:33

Inspire's IPv6 page says you need to email them to get it enabled, I assume you've done that?

 

 

 

Are you firewalling icmp6 and/or udp/546?

 

 

 

Can't think of any other reason why it wouldn't work.

 

 




Linux Systems Admin
987 posts

Ultimate Geek
+1 received by user: 166

Trusted
Integrity Tech Solutions
Subscriber

  Reply # 2020522 22-May-2018 17:42

MattR:

 

Inspire's IPv6 page says you need to email them to get it enabled, I assume you've done that?

 

Are you firewalling icmp6 and/or udp/546?

 

 

I was allocated a /56 at the time of setting up the account.

 

I don't see anything mentioned under IP / Firewall or IPV6 / Firewall.

 

But it doesn't say what the default is and I am not yet familiar enough with Mikrotik.

 

Is this something which needs to be explicitly set?


186 posts

Master Geek
+1 received by user: 31


  Reply # 2020535 22-May-2018 18:10

default is allow, so you'll want to configure some rules. Leaving it open to the world is a very bad idea. Do IPv4 right now - there are multiple exploits that target the management interface of the Mikrotik unless it's a very recent OS version.
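
An added example, not posted by anyone in this thread: a minimal default-deny IPv6 filter for RouterOS that still admits ICMPv6 and the DHCPv6 prefix-delegation replies (udp/546) discussed above. It assumes the WAN interface is `dialer0` as in the earlier posts, that the ISP's DHCPv6 server answers from a link-local address, and that the filter table is empty before the rules are added.

```routeros
# Added example (assumptions: WAN = dialer0, empty /ipv6 firewall filter table).
# Rules are evaluated top to bottom, so the drops must stay last in each chain.
/ipv6 firewall filter

# --- input chain: traffic addressed to the router itself ---
add chain=input action=accept connection-state=established,related \
    comment="replies to connections the router opened"
add chain=input action=drop connection-state=invalid \
    comment="drop invalid state"
# ICMPv6 carries neighbour discovery and path-MTU signalling; IPv6 breaks without it
add chain=input action=accept protocol=icmpv6 \
    comment="ICMPv6"
# DHCPv6 replies answer a multicast solicit, so connection tracking does not
# treat them as established; they need an explicit rule.
# src-address=fe80::/10 is an assumption: remove it if the ISP replies from
# a global address and the client stays in "searching".
add chain=input action=accept protocol=udp dst-port=546 \
    in-interface=dialer0 src-address=fe80::/10 \
    comment="DHCPv6 client prefix delegation"
# Everything else arriving from the internet is dropped, which also closes
# the management services (winbox, webfig, ssh) over IPv6.
add chain=input action=drop in-interface=dialer0 \
    comment="default deny from WAN"

# --- forward chain: traffic routed to hosts in the delegated prefix ---
add chain=forward action=accept connection-state=established,related \
    comment="replies to connections opened from inside"
add chain=forward action=drop connection-state=invalid \
    comment="drop invalid state"
add chain=forward action=accept protocol=icmpv6 \
    comment="ICMPv6 to inside hosts"
# Inside hosts hold globally routable addresses with no NAT in front of them,
# so this rule is the only thing keeping unsolicited traffic out.
add chain=forward action=drop in-interface=dialer0 \
    comment="default deny new connections from WAN"
```

Check the result with `/ipv6 firewall filter print` and confirm the two drop rules are the last entries of their chains.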




Linux Systems Admin
987 posts

Ultimate Geek
+1 received by user: 166

Trusted
Integrity Tech Solutions
Subscriber

  Reply # 2020578 22-May-2018 18:59

MattR:

 

default is allow, so you'll want to configure some rules. Leaving it open to the world is a very bad idea. Do IPv4 right now - there are multiple exploits that target the management interface of the Mikrotik unless it's a very recent OS version.

 

 

I have already restricted access to the management interface and it's the latest O/S. But good advice thanks.


3289 posts

Uber Geek
+1 received by user: 664

Trusted

  Reply # 2020742 22-May-2018 21:25
One person supports this post

If you ask mikrotik support "It will be fixed in ROS 7"





Ray Taylor
Taylor Broadband (rural hawkes bay)
www.ruralkiwi.com

There is no place like localhost
For my general guide to extending your wireless network Click Here






Linux Systems Admin
987 posts

Ultimate Geek
+1 received by user: 166

Trusted
Integrity Tech Solutions
Subscriber

  Reply # 2021121 23-May-2018 13:05

Inspire have fixed the issue (configuration problem at their end) and I now have IPV6 (yay!), however, all my DMZ IPV4 traffic is now showing at the remote end as originating from the WAN IP address and not the host's statically assigned publicly-routable IPV4 address.

 

I have covered the obvious bases - checked the host has its correct IPV4 address configured. Check.

 

Plugged my Cisco back in and the problem is fixed so it's definitely at my end.

 

It appears what is happening is the Mikrotik is NATing IPV4 even though it doesn't need to NAT hosts in the DMZ vlan.

 

Whether this is a consequence of enabling IPV6 or something I have just noticed, I don't know. I have only had the Mikrotik for about a week. I disabled IPV6 by stopping the DHCPv6 client and the issue persisted.

 

Can anyone here shed some light on what is happening please? I will continue to Google for a resolution.

 

In Cisco terminology, I assume what's needed is to specify an internal interface for "nat inside".


2142 posts

Uber Geek
+1 received by user: 389

Lifetime subscriber

  Reply # 2021141 23-May-2018 13:23
One person supports this post

You need to look at any masquerade/srcnat rules and apply to a specific source address only (rather than all).




Linux Systems Admin
987 posts

Ultimate Geek
+1 received by user: 166

Trusted
Integrity Tech Solutions
Subscriber

  Reply # 2021147 23-May-2018 13:38

Spyware:

 

You need to look at any masquerade/srcnat rules and apply to a specific source address only (rather than all).

 

 

Thanks for that. All fixed now.

 

I have learned some new Mikrotik stuff today. :-)


6477 posts

Uber Geek
+1 received by user: 408

Trusted
Subscriber

  Reply # 2021153 23-May-2018 13:56
One person supports this post

You should put a srcnat accept rule before the srcnat masquerade rule that filters the specific addresses in the firewall nat.

 

Cyril
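
An added example, not posted by anyone in this thread, combining the two suggestions above: an explicit srcnat accept for the DMZ ahead of a masquerade rule that is itself limited to the private LAN. The subnets are constructed placeholders (203.0.113.0/29 for the publicly routable DMZ, 192.168.88.0/24 for the LAN), `dialer0` is the PPPoE interface named earlier in the thread, and the NAT table is assumed to be empty.

```routeros
# Added example (placeholders: DMZ = 203.0.113.0/29, LAN = 192.168.88.0/24).
# NAT rules are matched top to bottom and the first match wins.
/ip firewall nat

# DMZ hosts already have publicly routable IPv4 addresses. Accepting them in
# srcnat stops rule processing, so their source address leaves unchanged and
# the remote end sees the host's own address rather than the WAN address.
add chain=srcnat action=accept src-address=203.0.113.0/29 \
    out-interface=dialer0 comment="DMZ: public addresses, no NAT"

# Masquerade only the private LAN. A masquerade rule with no src-address
# matches everything leaving dialer0, which is what rewrote the DMZ traffic.
add chain=srcnat action=masquerade src-address=192.168.88.0/24 \
    out-interface=dialer0 comment="LAN: masquerade behind WAN address"
```

On a router that already has a catch-all masquerade rule, list the table with `/ip firewall nat print` and make sure the accept rule sits above it, or narrow the existing rule with `src-address` instead of adding a second one.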

